Contents:
In a new joint cybersecurity advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released information on the AvosLocker ransomware gang, that has been linked to attacks against critical infrastructure sectors in the U.S., some of them detected as recently as May 2023.
Beware of AvosLocker’s Techniques
The advisory contains information on the ransomware-as-a-service (RaaS) group’s tactics, techniques, and even procedures (TTPs) and detection methods associated with them.
AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools… AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.
CISA & FBI (Source)
What Tactics and Tools Does the Threat Group Employ?
In order to avoid discovery, the ransomware strain has used complex tactics to disable antivirus protection since it first appeared on the scene in mid-2021. It impacts environments running Windows, Linux, and VMware ESXi.
The use of open-source tools and living off the land (LotL) strategies, which leave no traces that could be used to identify the perpetrator, is a defining characteristic of AvosLocker attacks. Additionally, genuine data exfiltration tools like FileZilla and Rclone as well as tunnelling tools like Chisel and Ligolo are used.
Cobalt Strike and Sliver are utilized for command-and-control (C2) whereas Lazagne and Mimikatz are employed for credential theft. Custom PowerShell and Windows Batch scripts are also used in the attacks for lateral movement, privilege escalation, and disabling security measures.
The agencies noted that affiliates of AvosLocker have uploaded and used custom web shells to enable network access. Another important component of the operation is an executable named NetMonitor.exe that impersonates a network monitoring tool, but in reality, it functions as a reverse proxy to allow the threat actors to connect to the host from outside the victim’s network.
Critical infrastructure organizations are advised by CISA and the FBI to take the necessary precautions to lessen the likelihood and effects of AvosLocker and other ransomware outbreaks.
This includes:
- Adopting application controls;
- Limiting the use of RDP and other remote desktop services;
- Restricting the use of PowerShell;
- Requiring phishing-resistant MFA (multi-factor authentication);
- Segmenting networks;
- Keeping all systems up-to-date;
- Maintaining periodic offline backups.
In 2023, ransomware attacks have witnessed a major surge, and are now one of the most common tactics employed by threat actors. We advise you to pay attention to such attempts and take prerequisite measures to stay protected.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube for more cybersecurity news and topics.